<div dir="ltr"><div><div>Thanks Petr, that certainly makes sense from the point of view of functionality. <br><br>I do think the default is sane, but there are a lot of possible deployment scenarios and my concern is that a junior or time poor admin looking to implement a trusted, secure solution should be made aware of any potential data leakage during configuration, (preferably in big red letters in the documentation, or better still, the install script). <br>
<br></div><div>Though I am reluctant to draw comparisons between IPA and MS AD they do seem inevitable. AD restricts anonymous binds to the <span class="">rootDSE entry by default and as such this may be considered by many to be the expected default. Extra care should therefore be made to point out this difference. To do otherwise risks </span>undermining the confidence of users in the security of the solution.<br>
<br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jan 3, 2014 at 4:53 AM, Petr Viktorin <span dir="ltr"><<a href="mailto:pviktori@redhat.com" target="_blank">pviktori@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 01/03/2014 02:23 AM, Will Sheldon wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
This is cause for concern. Is there a hardening / best practices for<br>
production guide anywhere, did I miss a section of the documentation?<br>
<br>
What else do I need to secure?<br>
<br>
I understand that there is a tradeoff between security and<br>
compatibility, but maybe there should be a ipa-secure script somewhere?<br>
</blockquote>
<br></div>
We are working on making the read permissions granular, so you can make your own tradeoffs if IPA defaults aren't appropriate for your use.<br>
<br>
The work is tracked in <a href="https://fedorahosted.org/freeipa/ticket/3566" target="_blank">https://fedorahosted.org/<u></u>freeipa/ticket/3566</a> and linked tickets 4032-4034.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
On Wed, Jan 1, 2014 at 10:41 AM, Jitse Klomp <<a href="mailto:jitseklomp@gmail.com" target="_blank">jitseklomp@gmail.com</a><br></div><div class="im">
<mailto:<a href="mailto:jitseklomp@gmail.com" target="_blank">jitseklomp@gmail.com</a>>> wrote:<br>
<br>
It is possible to disable anonymous binds to the directory server.<br>
Take a look at<br></div>
<a href="https://docs.fedoraproject." target="_blank">https://docs.fedoraproject.</a>__<u></u>org/en-US/Fedora/18/html/__<u></u>FreeIPA_Guide/disabling-anon-_<u></u>_binds.html<div class="im"><br>
<<a href="https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html" target="_blank">https://docs.fedoraproject.<u></u>org/en-US/Fedora/18/html/<u></u>FreeIPA_Guide/disabling-anon-<u></u>binds.html</a>><br>
<br>
- Jitse<br>
<br>
<br>
<br>
On 01/01/2014 07:01 PM, Rajnesh Kumar Siwal wrote:<br>
<br>
It exposes the details of all the users/admins in the environment.<br>
There should be a user that the IPA should use to fetch the<br>
details from<br>
the IPA Servers. Without Authentication , no one should be able<br>
to fetch<br>
any information from the IPA Server.<br>
</div></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
-- <br>
Petr³</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
______________________________<u></u>_________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/<u></u>mailman/listinfo/freeipa-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr"><br>Kind regards,<br>
<br>
Will Sheldon<br>
+1.(778)-689-4144<br>
</div>
</div>